The URL can be used to link to this page

Home My WebLink AboutPR 15401: "RED FLAG" - IDENTITY THEFT PREVENTION PROGRAMMemorandum City of Port Arthur, Texas To: Steve Fitzgibbons, City Manager From: Rebecca Underhill, Assistant City Date: July 23, 2009 Subject: Proposed Resolution 15401 Presented for Council approval is PR 15401 approving the development implementation and administration of a "Red Flag" Identity Theft Prevention Program. PR 15401 JJA/7/23/09 RESOLUTION NO. A RESOLUTION ADOPTING THE CITY OF PORT ARTHUR, TEXAS RED FLAG IDENTITY THEFT' PREVENTION PROGRAM AUTHORIZING THE CITY MANAGER TO DEVELOP, IMPLEMENT, ADMINISTER AND ADIEND THE PROGRAM; AND PROVIDING AN EFFECTIVE DATE. WHEREAS, identity thieves use peoples personal identifying information to open new accounts and misuse existing accounts, creating havoc for consumers and businesses; and WHEREAS, the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations, known as the Red Flags Rules requiring financial institutions and creditors to develop and implement written identity theft prevention progams, as part of the Fair and Accurate Credit Transactions Act of 2003; and WHEREAS, the programs must be in place by August 1, 2009, and must provide for the identification, detection, and response to patterns, practices, or specific activities -known as "red flags" - that could indicate identity thefr; and WHEREAS, the FTC has determined that cities are creditors for purposes of the Red Flag Rules and must develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions Act of 2003; and WHEREAS, the City Council has been presented a proposed identity theft prevention program, a copy of which is attached hereto as Exhibit "A' and incorporated herein by reference; and WHEREAS, upon full review and consideration of the City of Port Arthur Red Flag Identity Theft Prevention Program, and all matters related thereto, the City Council is of the opinion and finds that the Progam should be adopted, and that the City Manager should be authorized to develop, implement, administer and amend the Program on behalf of the City of Port Arthur, Texas. 1 NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF RICHARDSON, TEXAS: SECTION 1. The City of Port Arthur Red Flag Identity Theft Prevention Program attached hereto as Exhibit "A" having been reviewed by the City Council of the City of Port Arthur, Texas, and found to be acceptable and in the best interest of the City and its citizens, be, and the same is hereby, adopted. The City Manager is hereby authorized to develop, implement, administer and amend the Program on behalf of the City of Port Arthur, Texas SECTION 2. This Resolution shall become effective immediately from and after its passage. READ, ADOPTED, AND APPROVED, this day of July, 2009, AD, at a Regular Meeting of the City Council of the City of Port Arthur, Texas by the following vote: AYES: Mayor: Councilmembers: NOES: Mayor ATTEST: Terri Hank, City Secretary APPROVED AS TO FORM: Mark Sokolov, ity Attorney APPROVED FOR ADMINISTRATION: to e Fitzgibb ,City Manager Rebecca Underhill, Assistant City Manager z/finance/ruolu[ions/PRI5401 Adopting Red Flag policy Exhibit A City of Port Arthur Red Flag Identity Theft Prevention Program ARTICLE I PURPOSE AND NEED FOR POLICY Title 16, Part 681 of the Code of Federal Regulations requires that the City develop a program to detect, prevent, and mitigate identity theft in connection with qualifying Covered Accounts (Article II). The Red Flag Identity Theft Prevention Program ("Program") addresses the methods, procedures and practices which must be exercised to ensure compliance with these regulations. ARTICLE II SCOPE The Red Flag Identity Theft Prevention Program applies to all accounts maintained by the City of Port Arthur for the purposes of maintaining a continuing financial relationship for personal, family, household, or business purposes. Additionally, these accounts are maintained to facilitate an exchange of goods or services and the City defers payment for these goods or services and assumes a creditor relationship. The following accounts are considered to be Covered Accounts under this policy: 1) Utility accounts maintained by the Water Customer Service Division; 2) Mowing Lien accounts maintained by the Finance Department; 3) Other Lien accounts maintained by the Finance Department; and 4) Any other account for which it is determined that the City is deferring payment for a good or service and the intention is to maintain an ongoing financial relationship. The following accounts are not considered to be Covered Accounts under this policy: 1) Miscellaneous Receivable accounts maintained by the Finance Department; 2) Court Receivable accounts maintained by the Municipal Court; and 3) Any other account for which it is determined that the City does not intend to defer payment for a good or service, or that the City does not intend to maintain an ongoing financial relationship. 3 ARTICLE III PROGRAM ADMINISTRATION A. Oversight and Administration Management responsibility to establish written procedures for the operation of the Red Flag Identity Theft Prevention Progam and administer the Program has been assigned to the City Manager. The City Manager has delegated this responsibility to the Director of Finance. B. Program Revisions Finance staff shall annually review the Program and determine if changes to this policy are required. Recommended changes to the Program should be based on the following factors: 1) The City's experience with identity theft situations; 2) Changes in the methods of identity theft; 3) Changes in the methods used to detect or prevent identity theft; and 4) Changes in the kinds of accounts that the City utilizes. The City Manager is authorized to revise the Progam as needed to comply with additional regulations or to implement changes that are recommended by City staff in order to better protect against the potential of identity theft in relation to customer accounts maintained by the City. C. Reporting Finance staff shall annually provide to the City Manager a report detailing the City's compliance with this policy. The report should contain an overview of the City's Program, an evaluation of the effectiveness of the Progam, a review of any significant incidents involving identity theft and management's response, and any recommended changes to the Program. D. Training Finance staff shall develop training materials which will be used in the implementation of the Program. Materials and training will be provided to City staff members who are routinely engaged in transactions which involve Covered Accounts. Training materials will be updated as needed to reflect changes in the Program. ARTICLE IV OBJECTIVES A. Identification of Relevant Red Flags The Program will define Red Flags, warning signs that identity theft may be occumng, which are applicable to the accounts covered by this policy (Article V). B. Detection of Red Flags The Program will outline the policies and procedures which will be implemented to assist City staff in detecting Red Flags which may be occurring in relation to financial transactions. C. Mitigation of Identity Theft The Program will outline the steps that city staff will take to mitigate the potential for identity theft once a Red Flag has been identified. 4 ARTICLE V RELEVANT RED FLAGS Red Flags are warning signs that identity theft maybe occurring. Red Flags do not indicate that identity theft is occurring, but when discovered, should be investigated to determine what action the City should take. Staff has identified the following Red Flags that are applicable to the City's operations: 1) Documents provided for identification appear to have been altered of forged. 2) The photograph or physical description on the identification is not consistent with the appearance of the customer presenting identification. 3) Other information on the identification is not consistent with information provided by the persons opening an account. 4) Other information on the identification is not consistent with information on file with the City. 5) The address on an application is fictitious or a mail drop. 6) The phone number provided is inva]id or is associated with a pager or answering service. 7) The Social Security Number or Driver's License Number is the same as that of another customer. 8) The person opening an account fails to provide all required information on an application or in response to notification that the application is incomplete. 9) Shortly after a transfer of service or setup of new service, the City receives a request to add other responsible parties to the account. 10)Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the account. I1) The City is notified ofunauthorized transactions in connection with the City's accounts. 12) The City is notified by a customer, a victim of identity thefr, or law enforcement that identity theft may have occurred in connection with the City's accounts. 13) A complaint or question from an individual based on the person's receipt of: A bill for another individual; A bill for service that the individual denies receiving; A bill from a health care pro~~ider that the patient never patronized; ARTICLE VI PREVENTION PROCEDURES -WATER CUSTOMER SERVICE A. New Account Activation Effective August 1, 2009, all requests for new service must be accompanied by staff verification of proper identification. 1) Applicants must show a government issued photo ID to initiate service. 2) Applications must be submitted by the responsible party. Parents, siblings, or any other interested party cannot activate service on behalf of another person. a. A spouse maybe listed as a responsible party without the spouse being present. B. Data Security Water Customer Service staff shall maintain the security and integrity of personal information which is provided by customers. 1) All employees are subject to a criminal background check conducted by the Human Resources Department prior to hiring. 2) Employees are assigned security levels in the utility billing system which limit access to electronic records that contain personal information. Only Customer Service Representatives, the Senior Customer Service Representative -Billing, and the Customer Service Manager have the ability to access personal information once it has been entered into the utility billing system. All other employees are limited to inquiry access and personal information is masked. 3) Access to the utility billing software requires a password assigned by the Information Services System Administrator. The software will permit three unsuccessful sign-on attempts and then disable the password. Upon termination of service, employee passwords are immediately disabled. 4) After service has been established, personal identification is only to be used as a means to verify customer identification, or for bad debt collection purposes. 5) Hard copies of credit card information and service applications aze stored in the Finance Department vault. Access to the vault is monitored during the day and the vault is locked at night. Only Senior Customer Service Representatives or senior management can access the vault after hours. 6) All copies of credit card receipts, whether given to the customer or maintained by the city, contain truncated credit cazd information. Truncation indicates that only the last four digits of a credit cazd aze displayed on the card receipt and expiration information and the remaining card digits are masked. C. Data Retention Records are disposed of in accordance with state and federal laws, including the local records retention schedule issued by the Texas State Library and Archives Commission. D. Training Each Water Customer Service staff member will receive training in the requirements of the Red Flag Identity Theft Program. I) The City will conduct annual training for all current employees of the Water Customer Service Department. 6 2) Annual training will include the requirements of the Red Flag Identity Theft Program as well as information on identity then trends and prevention conducted by the Port Arthur Police Department, members of the banking community, or other recognized experts in the area of identity theft. 3) The requirements of the Red Flag Identity Theft Progam will be incorporated into the initial training for all new hires. ARTICLE VII PREVENTION PROCEDURES -FINANCE DEPARTMENT A. Mowing and other Lien Accounts Accounts for Mowing Liens are set up based on the legal ownership of affected properties as determined by the Jefferson County Appraisal District. Persona] identifying information is not required to be maintained in order to service individual accounts. ARTICLE VIII MITIGATION PROCEDURES -WATER CUSTOMER SERVICE A. Notification of Potential Identity Theft The City of Port Arthur maintains a zero tolerance policy for all transactions which involve identity theft. 1) If a staff member becomes awaze of a situation where identity theft may be occurring in regazd to a customer account, they will notify the Customer Service Manager of the circumstances of the transaction. 2) The Customer Service Manager will review the transaction and determine if an investigation is warranted. B. Notification of Actual Identity Theft The City of Port Arthur maintains a zero tolerance policy for all transactions which involve identity theft. 1) If notification is received from a customer or a banking institution that identity theft has occurred in regard to a customer account, staff members are to notify the Customer Service Manager of the circumstances of the transaction. 2) Customers will be directed to notify their bank or credit cazd provider of the details of the transaction if they have not done so. 3) After notification from the bank, the customer's account will be corrected and staff will gather information relating to the transaction. This information will be fumed over to the Port Arthur Police Department for further investigation. C. Reporting Procedures 1) The Controller will notify Water Customer Service staff of any reports from the bank which indicate fraudulent transactions involving utility accounts. 2) The Customer Service Manager will notify the Finance Director of any potential or actual identity theft which City staff becomes aware of. 3) The Finance Director will maintain a log of all transactions involving identity theft and the steps taken to determine if actual identity thefr occurred as well as the resolution of each case. 7